Multi-domain secure computer system

ABSTRACT

Disclosed is a hardware based secure multi-level security computing system system. The system comprises a chassis enclosing multiple separate, secure computer devices or domains, each within an electromagnetic shielding Faraday cage. The chassis structure includes internal electromagnetic shields and other features to prevent cross domain electromagnetic interference or compromising emanations. The chassis may be the size of a standard computer tower. The computer devices or domains may be configured for handling information of different classification levels. Optionally, each of the computer devices may operate on significantly less power than a standard computer. Preferably, each computer operates on no more than 50 Watts of power, more preferably on less than 35 Watts of power.

CROSS-REFERENCE TO RELATED APPLICATION(S)

This application is a continuation-in-part of U.S. application Ser. No.12/182,913, filed Jul. 30, 2008, which claimed the benefit from U.S.Provisional Application Ser. No. 60/952,678, filed Jul. 30, 2007, all ofwhich are incorporated herein by reference in their entirety.

TECHNICAL FIELD

The present invention relates generally to the field of computersystems, and more particularly, a multi-domain, multi-level securitycomputer system.

BACKGROUND Definitions

For purposes of convenience without limitation, the followingdefinitions are provided used in this disclosure.

(a) Computer: A computer is a programmable machine designed tosequentially and automatically carry out a sequence of arithmetic orlogical operations. Conventionally, a computer may include a 1)processor or Computer Processing Unit (CPU) that carries arithmetic andlogical operations, 2) data storage device or memory for temporarystorage of data for use by the CPU to read data in order to carry outoperations and to write the results of the operations, 3) a processorhandling chip or PCH for sequencing and control elements that can changethe order of operations and direct communications between the CPU,memory and peripherals, 4) a motherboard and 5) a power source or powersupply. The motherboard generally may host the CPU, memory, and PCHcontrol elements in addition to providing communications between the CPUand control elements to connections for various peripheral devices andcommunications systems external to the computer. The motherboard may ormay not also host a video or graphics adaptor to generate informationcompatible with a monitor or display device. Present day CPUs aretrending in the direction of hosting the PCH and the video adaptorcapabilities leaving motherboards, for the most part to provide a pathto connectors large enough to connect with peripherals, display devices,and network communications.

(b) Peripherals: Peripheral devices or peripherals allow information tobe entered (input) into the computer from external sources and allow theresults of the computers operations to be sent out (output). Examples ofperipherals include, hard disk drives (HDD) for mass data storage, DVDdrives for more permanent data storage and data access, Video Adaptorsto provide signaling of information to monitors such as Liquid CrystalDisplays (LCDs) or Light Emitting Diode (LED) displays, printers,network interfaces to provide a path between other computing devices andremote peripherals, user input devices such as keyboards, mice, andtrackballs, to name a few.

(c) Network; a communications system that allows sharing of resourcesand information among interconnected computers and peripherals. In manycases, the term network extends past the communications system toinclude the greater realm of the devices connected to the communicationssystem such as the computers and peripherals. The Internet is a network.

(d) Domain: A domain when used as a name is an identification label thatdefines a realm of administrative autonomy, authority, or control in theInternet Technologies when referring to networks in the greater sensethan only communications. In the U.S. Government, domains are often usedto refer to parts of the government internet that are segmented intoindividual network enclaves for purposes of information security.Specifically, the U.S. Government has setup three primary and otherassociated enterprise networks or domains for UNCLASSIFIED information,SECRET information, and TOP SECRET information. Similarly,non-government organizations also setup separate networks or domains orlogically divide networks or domains for purposes of informationsecurity. A computer that connects to one of these networks becomes partof the domain.

(f) Multi-Level Security. The Government refers to computing devices andperipherals that can safely operate at more than one security level(i.e., connect to more than one security level or domain network, ormore than one category of security) as a Multi-Level Security (MLS)device. Specific certification by a government organization, such as theNational Security Agency, is required for all MLS devices prior to thatdevice connecting to more than one government security network of adifferent security level or category of security. Conventionalapproaches have been unable to provide an effective desktop multi-levelsecurity computing system (also referred to as a multi-domain securecomputer system.)

(g) Electromagnetic Field (EMF). An electromagnetic field (also EMF orEM field) is a physical field produced by moving electrically chargedobjects. It affects the behavior of charged objects in the vicinity ofthe field. An electromagnetic field extends indefinitely throughoutspace and describes the electromagnetic interaction. The field can beviewed as the combination of an electric field and a magnetic field. Theelectric field is produced by stationary charges, and the magnetic fieldby moving charges (currents); these two are often described as thesources of the field. An electromagnetic field can be regarded as asmooth, continuous field, propagated in a wavelike manner.

(h) Electromagnetic Interference (EMI). Electromagnetic interference isa disturbance caused by an EMF's transference of energy from the sourceof the EMF to another device or circuit. The source and the affectedcircuit can be internal to the same device or between two independentdevices. The disturbance may interrupt, obstruct, or otherwise degradeor limit the effective performance of an electrical circuit. The sourcemay be any object, artificial or natural, that carries rapidly changingelectrical currents or magnetic fields (EMF), such as another adjacentelectrical circuit. A Computer Processing Unit (CPU) accomplishes itstasks through rapid switching of electrical current. A power supply isanother example. Therefore, a CPU is a source of an EMF and can causeEMI to adjacent circuits. EMI can be intentionally used for jamming, asin some forms of electronic warfare. Additionally, the ability to listento the emanations of EMF/EMI from a CPU or other parts of a computerexists and can be recorded and processed into meaningful information.

BACKGROUND DESCRIPTION

The U.S. Government protects information sensitive to the country'snational security (whether written, printed, spoken, or electronic), bycategorizing the sensitivity of information and assigning it to acategory referred to as “security classification.” Generally speaking,the classifications are characterized as UNCLASSIFIED (least level ofprotection for sensitive information, but includes official use only)SECRET (more sensitive) and TOP SECRET (most sensitive). Each categoryof classification is assigned procedural and electronic protectionmeasures. Additionally, within these three broader classifications,additional subcategories have been created directing special handling ofthe information to further protect the sensitivities associated withinformation origin or content, and/or to limit the number of personshaving access to the information.

To disseminate and allow for global access of information in thesesecurity classifications, the U.S. Government supports individual,isolated, physically and logically separated, enterprise networks anddomains. The networks are protected by a number of technologies with thelevel of protection increasing dependent upon the sensitivity associatedwithin each classification and sub classification. In the civiliansector (such as the medical, financial, utility, legal, and otherindustries) similar concepts exist for protecting information forpersonal or financial data, national security infrastructure or systems(power grids, waterway control, etc.), and client-doctor/attorneyrelationships. In the civilian sector however, most often protection isaccomplished by logically (as opposed to physically) separating publicaccess networks from internal, sensitive networks through devicesreferred to as “firewalls,” which creates an inner domain connected tobut protected from the public access Internet. The difference here isthat the civilian sector often uses a single network, logically dividedinto two domains procedurally limiting what can enter or exit a localsite. The U.S. Government maintains physically separate, global,duplicative, isolated, and access controlled networks. The concept ofprotecting information based on “separation and control” of data isclearly the most common practice of information security in both thegovernment and civilian sectors.

Vulnerabilities, even when data has been physically or logicallyseparated, are many. Perhaps the most significant is the vulnerabilitycreated by the human operator, where through either a malicious orunintentional act, the human allows information from one classificationto be mixed with information of a second classification, creating apotential for unintended release of information. This may be exemplifiedby information residing on one network or domain exchanged ortransferred to a second network or domain of differing datasensitivities (different classification) thereby exposing theinformation to persons not “cleared” or not authorized to hold thatinformation. When this exposure occurs, it is referred to as“compromising data or information.” Therefore, protection of the data byprocedural and electronic logic is referred to as access control. Accesscontrol is implemented and achieved through procedures (e.g. controllingaccess to a building or space where a computer or network may be placed,or controlling access to the internal components of a computer),electronic measures (e.g. password protection to a computer on anetwork), or in some cases, a combination of both (e.g. issuance and useof a personal SMART Cards for users.) In an attempt to limit risksassociated with vulnerability, government and non-government managers ofinformation place into practice procedural and electronic “accesscontrol” measures.

When organizations implement multiple, separated networks for securitypurposes, any computer used to access information on these networks isphysically or logically connected to only one network at a time, inorder to minimize the possibility that information on a network might beinadvertently transmitted to a network with a different classification.Therefore, a user must have a separate computer connected to each of thedifferent, separated networks. When multiple networks and computers areused, the physical work space becomes dominated by the requirement toprovide multiple computers to every such user. While this approach canseparate information of concern, other vulnerabilities are created andnew problems are introduced to the workspace. For instance, newvulnerabilities are introduced with respect to EMF/EMI and accesscontrol. Due to the vulnerabilities to data presented by EMF/EMI,standard computers must be separated by a specified distance (e.g.,about one meter of separation between computers residing on each networkclassifications is specified by the U.S. Government). Such requirementscrowd workspaces and expand space requirements. Each desk space mustoffer at least 72-inches (plus the width of the computers) of floorspace, if three computers are required. The spacing and positioning ofadjacent workspaces is driven by the placement of computer at the firstworkspace. Multiple keyboards/mouse and monitors are required for eachcomputer on separated networks. Each keyboard/mouse and monitor requireeither individual wiring or require wiring to a Keyboard, Video, Mouse(KVM) switch that is implemented to combine operations of a single setof Keyboard, Mouse, and monitor to multiple computers. But even with atraditional KVM switch, the workspace is still cluttered with multiplewires; such wires have exposed connections, introducing potentialvulnerability for mis-wiring or misuse. Further, when multiple levels ofsecurity are introduced into a single workspace, the issue ofcontrolling personnel access to all of the security classifications ofcomputers becomes another issue. If any of the users in the workspace donot have the same level of “clearance” (i.e., permissions to access allof the information of all the classifications), then additional accesscontrol features and procedures must be implemented. Computers of thehighest level security classifications must be protected from those notholding the correct clearance. All of these measures are expensive tothe Government. The separation of computers cost the Government in termsof the size of work centers in order to separate computers.

Prior designs of a hardware based multilevel computer systems include,for example, (1) the use of complicated mechanical switching mechanisms(see U.S. Pat. No. 6,009,518), (2) the addition of complex circuitrywith relays and microprocessors controlled via automatic teller machine(ATM) styled keypads requiring a personal identification number (PIN)for switching from one network domain to another domain. (see, e.g.,U.S. Pat. Nos. 6,389,542, and 6,351,810), and (3) the use of EMI barrierwalls between computing components (see, e.g., U.S. Pub. No.20040107358). In the cases of approaches (1) and (2), the systems resultin a total loss of data and operator awareness when switching domainsand a significant amount of time is lost during switching, because suchswitching between domains/computers includes operating system andcomputer shutdown to disconnect from the first network domain and thenre-startup of the computer on the second network. In the case of thethird approach, it has been discovered that the barrier wall isinsufficient to adequately protect the electronic data of the individualcomputers from one another.

BRIEF SUMMARY OF THE INVENTION

The present approach is directed to a hardware based, multi-domain,multi-level computer system through the use of multiple computers housedwithin a single chassis. Some computer manufacturers build computerssuch as servers with multiple elements internal to a single chassis,generally with some form of common power supply or other power sharingarrangements for efficiency. That approach does not meet the securitystandards for the purposes of multi-level security required to safeguardagainst vulnerabilities created when computers are located within closeproximity to one another within a single chassis. Others have attemptedapproaches using a barrier wall, but this has been found ineffective toshield propagation and provide the required protection from EMF. Theindustry has not offered an approach that provides multiple computerswith their own, single shielded (Faraday Cage) sub-enclosures withspecialized access control features preventing tampering with thecomputer's inner components or network connections. Industry, the U.S.Government, and many foreign governments may have specifications for theoperation of computers in close proximity, but the present approach isthe only design to date that will safeguard against the vulnerabilitiesof such proximity in a single chassis.

Data may be compromised via rapidly changing electromagnetic fields (orEMF energy) when physical components or wiring are in close proximity toone another. As discussed above in the Background, this may be referredto as electromagnetic interference (or EMI), bleed over, or cross talk.Two general vulnerabilities exist to data in concern of EMF energypropagation. First, there is a possibility of one computer “jamming”another computer if the EMF generated by the first is “loud” enough (orof sufficient strength of propagated energy) to interrupt the logicaloperations of the second computer. This is referred to as EMI. Second,if two computers are in close enough proximity to one another, there isa risk or potential a user may “listen” to the generated EMF (orcompromising emanations) of the first computer from the second computer.While some efforts have been made to develop single domain computerenclosures that reduce the latter issue of compromising emanations fromoutside of a chassis (e.g., TEMPEST certified computers), there are noeffective approaches to addressing both issues in multi-domain,multi-level computer systems.

EMFs may extend in three directions, theoretically, infinitely. A simplebarrier between two computers within a single chassis has been foundinsufficient to avoid EMI; physically, such a barrier would need toextend infinitely to prevent propagation of the field from passingaround the barrier. In practice, a simple barrier needs to substantiallyexceed the dimensions of the computer. Further, any difference inmaterial between a barrier and a chassis has been found to introducediscontinuities; the difference in conductive properties of the twomaterials of the barrier and chassis disturbs the EMF, and collectsenergy at the seams. This collection of energy at the seam can propagateEMF through the barrier walls. A final consideration is that someapproaches have suggested the use of an iron chassis, which couldintroduce an awkward weight on the order of 300 pounds for such adevice.

For the purpose of use herein, a Faraday cage may be considered anenclosure formed with a conductive material, sometimes as conductivemesh. Such an enclosure is intended to block external static andnon-static EMF. Its operation depends on the fact that an externalstatic electrical field will cause the electrical charges within acage's conducting material to redistribute, so as to cancel the field'seffects within the cage's interior rather than allow the effects topropagate out. Such a cage may also shield the interior from externalEMF forces if the conductor is thick enough and any holes are engineeredto be smaller than the wavelength of the radiated EMF. For example,certain computer forensic test procedures of electronic systems thatrequire an environment free of electromagnetic interference can becarried out within a screen room. These rooms are spaces that arecompletely enclosed by one or more layers of a fine sheet metal orperforated sheet metal. The metal layers are grounded in order todissipate by conducting the energy along their dimensions any electriccurrents generated from external or internal electromagnetic fields, andthus they block a large amount of the electromagnetic interference. Thereception or transmission of radio waves, a form of electromagneticradiation, to or from an antenna within a Faraday cage are heavilyattenuated or blocked by a Faraday cage. A microwave oven provides anexample of a form of inside out Faraday cage, keeping EMF/RF energywithin its cage rather than keeping it out.

Embodiments disclosed herein include a multi-level computing systemhaving a single outer housing or chassis. The chassis is preferably thesize of a standard computer mid tower chassis, but can be larger orsmaller.

The system's single chassis encloses multiple, separate computers. It ispreferred that at least three computers are disposed within the system'ssingle chassis. In other contemplated embodiments, fewer or more thanthree computer devices may be enclosed within the chassis.

Each of the computers has an individual or dedicated power supply,separate and isolated from the power supplies of the other internalcomputer devices, thereby isolating data transfer from common powerswitching across a single electrical conductor path of a common powersupply.

Each internal computer is a separate physical instantiation of acomputer consisting of a motherboard, a CPU, memory, and power supply.In other words, these components are dedicated to a particular computer.Additional internal peripheral devices such as a hard disk drive, solidstate hard disk drive, Compact Flash memory, optical disk reader and orwriter, card reader, video adaptor card, network interface card, or anyother computer component may be included, but each is dedicated to oneand only one of the isolated computers with the exception of an internalkeyboard mouse, and video switch, as discussed herein.

The chassis may be constructed so that it is divided into isolated,shielded compartments or chambers established as separate Faraday cages.Each computer shall be housed in its own chamber/compartment that is aFaraday Cage. The chambers will thus wrap each computer domain in total,on all six sides or walls of the chamber volume. These six walls form aneffective EMF shield, with the walls configured so as to eliminate slotantenna effects along the seams of the walls. In this way, a Faradaycage (where EMF energy produced by each isolated computer), does notimpact the operation of the other computers that reside within thechassis, nor can the operation of one computer be “heard” from thechamber in which another computer is hosted. The properties of thematerial used to construct the chassis and the design of chambers inregards to EMF propagation, prevent the passage of any significant EMFenergy between each chamber within the chassis.

All chassis components are constructed of principally the same materialwith common electrical and magnetic conductivity properties, or acoating over the material with common properties of electrical andmagnetic conductivity, such that they will equally propagate EMF energyacross their surfaces rather than allowing the EMF energy to passthrough the material or to reshape the field where energy buildups inthe field would pass and result in potential EM interference.

Because each isolated computer is “wrapped” in a Faraday Cagearrangement, it is not possible to “listen” to the EMF propagated by acomputer inside of one chamber from an adjacent chamber within thechassis, nor is it possible for one internal computer to interfere withanother computer's operation through EMI or “jamming.”

Likewise, due to the materials and construction of the chambers,listening and interference between internal computers and externalcomputers or producers of EMF is also prevented. If the computersinternal to the device are isolated from one another, then they wouldalso be isolated from devices external.

The six walls of the chambers shall be manufactured with a sufficientlyhigh tolerance so that when assembled, all six walls of the threechambers/Faraday Cages are tightly mechanically connected, welded, ormeshed and at the same electrical and magnetic potential so that EMF isevenly dispersed within the chamber, energy is propagated across all thewalls of the compartment and does not excessively collect and penetratethe wall seams or corners of the compartments. Unlike a single twodimension barrier (with which the EMF will extend over the top, bottom,or ends), use of mechanical connections, welding, or meshing the sixwalls of the cage together will ensure the field remains effectivelywithin the chamber.

A potential Keyboard Mouse (KM) or Keyboard Video Mouse (KVM) switch maybe included internally mounted within one of the compartments of thechassis or its own chamber of the chassis.

The internal computers within the chassis shall be physically isolatedin their respective chamber except where a common KM or KVM is used.Wiring between each computer and the KM/KVM switch must be shielded toprevent transmission of EMF among the chamber through the KM/KVM wiringacting as an antenna between chambers. Wiring for a potentialKeyboard/Mouse or Keyboard/Video/Mouse switch shall pass between thechambers in a manner that prevents EMF propagation between chambersand/or may be grounded at the same electric potential as the FaradayCages. For convenience of reference, this is referred to as a “shielded”KM or KVM switch.

Design and construction of the chassis and chamber walls shall eliminateopenings that physically form slots between chambers or to the outsideof the chassis. Slots in the construction create the physics basedprinciple of a “slot antenna” which realigns the field, focusing EMFenergy along the slot, and effectually amplifies and directionallybroadcasts the energy, in this case either between the computing domainsor external to the chassis, depending on the location of a “slot”.

Components of the chassis, where required to prevent slot antenna, maybe sealed with special conductive materials such as EMF gasket materialat assembly time. EMF gasket material comes in many forms.

All penetrations in the chassis and internal chambers/compartments forthe purposes of switches or connectors shall be isolated to either thefront or rear walls of the chassis to prevent as much of the radiatedEMF from crossing boundaries between the compartments of the threeisolated computers or from the field aligning outside of the externalchassis and effecting another computer domain be effectively re-enteringthe chassis.

Where switches or connectors penetrate the front or rear of the chassis,they will be composed of a material of similar properties ofconductivity to the outer chassis. For instance, switches may be made ofcopper or brass with a nickel cladding or surface to disrupt the fieldas little as possible.

Holes in the front or rear of the chassis, such as ventilation holes,may be used in the chassis construction, but these may be engineeredspecifically in consideration of propagation of EMF. The holes may beengineered with reference to or for the size of the wavelength of thepropagated energy to prevent or attenuate the energy transmitted withinthe chassis between internal chambers or compartments, or external tothe chassis from any such chamber or compartment. External covers orpanels of the chassis may be joined with continuous welds or flanges toocclude EMF incident on the seams or line of joinder.

Where holes are required to be large in comparison to the propagatedwavelength, special EMF protective materials such as EMF mesh shielding,may be used to arrest the detrimental effects of the propagation of EMFenergy. Such materials may be tailored to the specific application, butgenerally those appropriate for occluding microwave propagation functionwell for the present approach. Such as in the case where ventilationfans may be desired in the rear of a chassis. The aperture of theventilation fan opening may be covered with a mesh EMF shield and thatshield may be grounded to the chassis to achieve a common electricalpotential.

Access to the internal components of the chassis may be facilitated bymeans of the top which may include or form an access cover plate or topaccess cover. This top access cover may be designed to prevent routineaccess to the internal computer components within the chassis. Thisdesign may be facilitated by a lock or other similar feature thatprevents access to the internal components of the computer unless a keyor special tool is used.

The rear of the chassis may have a removable “rear peripheral cover” orplate that may be customized to user preferences. This rear peripheralcover may be designed so that it is constructed of the same material asthe rest of the chassis and fastened in such a manner that it fitstightly to the rest of the chassis to provide a continuous electricalpotential. As with the top, special EMF gasket material may be used toassist in the tight fit, sealing, and electrical potential of the rearperipheral cover to the chassis when assembled.

The connectors to the network connections and peripheral devices such asUSB ports, keyboard and mouse ports, and video connections may beprotected by a cover and lock or similar secure mechanism. The lock orfeature that protects entry into the chassis internal components mayalso be the same locking mechanism that locks the peripherals fromaccess.

The internal computer components may have the additional access controlfeature of an electro-mechanical key lock in order to start the internalcomputers that control power to the power supply or motherboard. Thiskey lock may control all three power supplies or each power supply mayhave a separate key and lock.

The system may further include additional access control features suchas locks, smart cards, and encryption.

The system further supports multiple monitors, each monitor or group ofmonitors corresponding to a specific internal computer. However, in someinstantiations, a KVM switch can be used to switch the video output ofeach computer to a single monitor.

In general, the multi-level security computing system may have a chassishaving a front, top, bottom, and two sides, each comprising anelectromagnetic shield. Within the chassis are a first, second, andthird computer domain. Internal electronic components are dedicated bydomain, such that: a first computer domain comprises a firstmotherboard, a first dedicated bus, a first processor, a first datastorage device, and a first dedicated power supply; a second computerdomain comprising a second motherboard, a second dedicated bus, a secondprocessor, a second data storage device, and a second dedicated powersupply; a third computer domain comprising a third motherboard, a thirddedicated bus, a third processor, a third data storage device, and athird dedicated power supply. Optionally, the chassis may be adapted tomount to a standardized 19-inch rack.

The first, second, and third computer domains are enclosed within thechassis, with a first internal electromagnetic field shield locatedinside the chassis and interposed between the first computer domain andthe second computer domain to prevent data migration between the firstcomputer domain and the second computer domain, and a second internalelectromagnetic field shield located inside the chassis and interposedbetween the second computer domain and the third computer domain toprevent data migration between the second computer domain and the thirdcomputer domain. An aspect of this is that the first and second internalelectromagnetic shields are in the form of a first and second wall withthe first wall having a first perimeter and the second wall having asecond perimeter, the first perimeter in operable engagement with thechassis defining a first seam between the first perimeter of the firstwall and the chassis, the chassis and first wall configured with a firstflange along the first seam to occlude an electromagnetic field from thefirst or second computer domain incident on the first seam, the secondperimeter in operable engagement with the chassis defining a second seambetween the second perimeter of the second wall and the chassis, thechassis and second wall configured with a second flange along the secondseam to occlude an electromagnetic field from the second or thirdcomputer domain incident on the second seam.

The first computer domain, the second computer domain and the thirdcomputer domain are separated and electrically isolated so that noinformation is shared between or among any of the first computer domain,the second computer domain, and the third computer domain. In addition,the chassis with the first and second electromagnetic field shieldsbeing configured to form a first, second, and third Faraday cage aboutthe first, second, and third computer domains respectively. Accesscontrol may optionally be provided, with the chassis having a pluralityof covers, such as a top and back covers. These covers may provideaccess to at least a portion of the interior of the chassis and preventunauthorized access to the chassis.

A number of aspects or options are also disclosed. The multi-levelsecurity computing system may have one or more user data input devices;a user data input selector switch for alternatively coupling the one ormore user data input devices to the first computer domain, the secondcomputer domain, and the third computer domain without rebooting any ofthe first computer domain, the second computer domain, or the thirdcomputer domain; and wherein the first computer domain, the secondcomputer domain, and the third computer domain are adapted to beoperational at the same time.

A number of aspects or options are also disclosed. In some embodiments,the multi-level security computing system, the chassis and one or bothinternal electromagnetic field shields or walls may be fabricated of analuminum alloy, forming aluminum Faraday Cages. Optionally, a variety ofuser data input devices may be provided, with a user data input selectorswitch for alternatively coupling the one or more user data inputdevices to the first computer domain, the second computer domain, andthe third computer domain without rebooting any of the first computerdomain, the second computer domain, or the third computer domain; andwherein the first computer domain, the second computer domain, and thethird computer domain are adapted to be operational at the same time. Insome embodiments, one or more user interface devices may include akeyboard and a mouse.

In some embodiments, at least one of the second computer domain and thethird computer domain is a secure computer domain and the multi-levelsecurity computing system further comprising a smart card accesscontroller for authenticating users prior to allowing access to thesecure computer domain. In another embodiment, the first domain may beaccessed by a user without smart card authentication. Optionally, akey-lock power switch may be included, the switch having an associatedkey for powering on the first computer domain, the second computerdomain, and the third computer domain. A first reset button may beincluded for resetting the first computer domain without resetting thesecond computer domain or the third computer domain; a second resetbutton for resetting the second computer domain without resetting thefirst computer domain or the third computer domain; and a third resetbutton for resetting the third computer domain without resetting thefirst computer domain or the second computer domain. Power consumptionmay vary from 35, 50, 105, or 150 watts, depending on the application.

Further access control may be provided by a top panel lock forcontrolling access to internal components of the computer through a toppanel.

The system may have a display with a first video monitor associated withthe first computer domain; a second video monitor associated with thesecond computer domain; and a third video monitor associated with thethird computer domain. Optionally, the first video monitor may beadapted to display information from the first computer domain, thesecond video monitor adapted to display information from the secondcomputer domain, the third video monitor adapted to display informationfrom the third video domain, wherein the first, second, and third videomonitors are adapted to simultaneously display information.

These and other features as well as advantages, which characterize thevarious preferred embodiments of present invention, will be apparentfrom a reading of the following detailed description and a review of theassociated drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an exemplary embodiment of a system of the presentinvention.

FIG. 2 illustrates a block diagram of a processing unit.

FIG. 3 illustrates a front view of processing unit.

FIG. 4 illustrates a back view of a processing unit.

FIG. 5 illustrates a top view of a processing unit.

FIG. 6 illustrates a top view of a processing unit with a top coverremoved.

FIG. 7 is illustrates an internal view of the chassis during assembly

FIG. 8 is a front view of the chassis.

FIG. 9 illustrates an internal aspect of the unit.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

Referring now to the drawings, in which like numerals represent likeelements, exemplary embodiments of the present invention are hereindescribed.

FIG. 1 illustrates an exemplary embodiment of a multi-level security(MLS) computing system 100, making use of the MLS computer or computingunit 110. The system 100 comprises a multi-level security computer orunit 110 in a single chassis 111, and is generally included with displaysystem 150. Chassis 111 defines a plurality of internal chambers 121,131, 141 (shown, e.g., in FIG. 5) within which are a plurality ofcomputer domains, shown in this embodiment as computer domains 120, 130,140. The chassis 111 may be constructed from lightweight, high strengthmaterial, which is also highly conductive of electromagnetic energy,such as aluminum.

As noted above, all chassis components are preferably constructed ofprincipally the same material with common electrical and magneticconductivity properties, or a coating over the material with commonproperties of electrical and magnetic conductivity, such that they willequally propagate EMF energy across their surfaces rather than allowingthe EMF energy to pass through the material or to reshape the fieldwhere energy buildups in the field would pass and result in potential EMinterference. The following table represents materials with the highestelectrical conductivity.

Material ρ (Ω · m) at 20° C. σ (S/m) at 20° C. Silver 1.59 × 10⁻⁸ 6.30 ×10⁷ Copper 1.68 × 10⁻⁸ 5.96 × 10⁷ Annealed copper 1.72 × 10⁻⁸ 5.80 × 10⁷Gold 2.44 × 10⁻⁸ 4.10 × 10⁷ Aluminum 2.82 × 10⁻⁸  3.5 × 10⁷ Calcium 3.36× 10⁻⁸ 2.98 × 10⁷ Tungsten 5.60 × 10⁻⁸ 1.79 × 10⁷ Zinc 5.90 × 10⁻⁸ 1.69× 10⁷ Nickel 6.99 × 10⁻⁸ 1.43 × 10⁷ Lithium 9.28 × 10⁻⁸ 1.08 × 10⁷ Iron 1.0 × 10⁻⁷ 1.00 × 10⁷

The following table compares materials to resistivity density.

Resistivity Density Resistivity-density Material (nΩ · m) (g/cm³)product (nΩ · m · g/cm³) Sodium 47.7 0.97 46 Lithium 92.8 0.53 49Calcium 33.6 1.55 52 Potassium 72.0 0.89 64 Beryllium 35.6 1.85 66Aluminum 26.50 2.70 72 Magnesium 43.90 1.74 76.3 Copper 16.78 8.96 150Silver 15.87 10.49 166 Gold 22.14 19.30 427 Iron 96.1 7.874 757

The inventors have discovered that aluminum is a preferred material,with a conductivity 3.5×107 (S/m) and a density of 2.70 (g/cm3). Itprovides sufficient conductivity in thin sheets to be light in weight,of good structural strength, and of feasible expense. While othermaterials may be suitable, such as copper or various alloys, dependingon the application and financial or weight considerations, aluminum isappropriate for many common applications. Prior efforts often focused onmaterials that were either impractical due to rarity and cost, orimpractical due to material characteristics. For example, densematerials such as iron would be impractical for the application due tothe weight of the end product (as noted above, on the order of 300pounds or more.)

By way of an overview, FIG. 1 shows front 111 a of chassis 111 (forreference of perspective, sides 111 b, back 111 e, and bottom 111 d maybe seen in FIG. 3, while top 111 c and back 111 e may be seen in FIG. 7)FIG. 3 shows chassis 111 open for assembly, while FIG. 7 shows chassis111 after assembly. As shown in FIG. 7, any access doors to an interiorof chassis 111 may have security locks such as lock 116 in rearperipheral cover 114, for limiting access to peripherals, cables, orcomponents within chassis 111. In a contemplated embodiment, the chassis111 may be sized and configured to be mounted on a standardized (EIA310-D, IEC 60297 and DIN 41494 SC48D) 19-inch rack.

The MLS computing unit 110 may comprise a plurality of computer domains,each enclosed within a dedicated or separate chamber 121, 131, 141 ofchassis 111 as best seen in FIG. 4. For example, the MLS computing unit110 may comprise a first computer domain 120, a second computer domain130, and a third computer domain 140 with each located in its own,dedicated or corresponding chamber 121, 131, and 141. Computer domains120, 130, 140 may have different levels of security classificationdepending on the user's requirements and/or preferences. For example,computer domains 120 may be UNCLASSIFIED, computer domain 130 may beSECRET, and computer domain 140 may be TOP SECRET.

The display system 150 may be any number of types of displays, so longas they are adapted for the number of computer domains and application.Display system 150, for example, may be a single or multiple monitorembodiment, as required for displaying the output of the variouscomputer domains. Further, the type and number of video output of theinternal computer domains depend on desired motherboards and/or anyvideo adaptors. A consideration is the ability to simultaneously displaysuch output. As shown for the embodiment in FIG. 1, display system 150may comprise a first monitor 151, a second monitor 152, and a thirdmonitor 153, each corresponding to a respective computer domain.

FIG. 2 illustrates a block diagram of MLS computing unit 110. Withinchassis 111 are independent computer domains 120, 130, and 140 thatinclude, but are not limited to, computing hardware and electronicsnecessary for executing a computer operating system. Computer domains120, 130, and 140 include, respectively, a processor or CPU 120 a, 130a, 140 a (i.e., for convention, such structure may also referred to asfirst CPU 120 a, second CPU 130 a, and third CPU 140 a, etc.), a memoryor data storage device 120 b, 130 b, 140 b, a PHC 120 c, 130 c, 140 c, adedicated power supply 120 d, 130 d, 140 d, a motherboard 120 e, 130 e,140 e (with dedicated internal and external bus), and peripheral I/Ointerfaces 120 f, 130 f, 140 f. It may also include other devices suchas a HDD, an optical drive, video adaptor, smart card drive or reader,or other conventional computer devices. Optionally, the electroniccomponents of the enclosed computer domains 120, 130, and 140 may beminiaturized, and may use computing components designed for mobileapplications to reduce power consumption. In practice, the shape andfootprint may be customized to accommodate miniaturized components,depending on the application.

Each individual or independent computer domain 120, 130, 140 may becontrolled, started, re-booted, etc., independently, without affectingthe others. Each computing domain 120, 130, 140 may have its ownelectromechanical switch associated with dedicated power supplies 120 d,130 d, 140 d, that may control (energize or de-energize) its respectivepower supply for access control. Normal dedicated reset switches mayalso be provided.

Depending on the application, a Keyboard/Video/Mouse (KVM) orKeyboard/Mouse (KM) selector switch may be provided, which is sometimesreferred to as KM/KVM Switch 162. A KM switch may be used to associatecomputer domains with a single keyboard and mouse. Some applications mayrequire a dedicated monitor or monitors to each computer domain whileother users may re-associate a single monitor display among eachcomputer along with the keyboard and mouse with a KVM switch. FIGS. 1and 2 illustrate a configuration where display system 150 comprisesthree separate monitors 151, 152, 153, which may be associated one toeach of computer domains 120, 130, 140.

FIG. 3 illustrates the outer chassis, 111, of an embodiment. Note theouter chassis 111 may be constructed of the same material, in this casealuminum, with welds at the abutments and four corners of the front 111a, back 111 e, sides, 111 b, top 111 c (not shown), and bottom 111 d.Also shown are fasteners 119 in the bottom 111 d of chassis 111 forsecuring the first and second internal barrier walls 125, 135 (notshown) that will make internal sides of the internal Faraday cages. Alsonote the ventilation holes in the outer chassis engineered to a sizesmaller than the wavelength of the propagated frequency of the EMF.

FIG. 4 shows an open outer chassis 111, with first and second internalelectromagnetic shields in the form of internal barrier walls 125, 135.Internal walls 125, 135 may be installed and mechanically fastened attheir respective first and second perimeters to the bottom 111 d, front111 a, and back 111 e of chassis 111. When rear cover 114 and top cover113 (not shown) are installed, chassis 111, with walls 125, 135separates and compartmentalizes computer domains 120, 130, 140 (notshown) within chambers 121, 131, 141; these chambers form multipleFaraday cages, shielding each computer domain from EMF of the othercomputer domains. Note the EMF gasket material 157 at the top perimeterof internal barrier walls 125, 135 to seal the seam formed with top 111c (not shown).

In particular, first wall 125 may be viewed as having a first perimeterand second wall 135 may be viewed as having a second perimeter. Theperimeters of first and second walls 125, 135 are in operable engagementwith chassis 111, defining a corresponding first and second seam withouter chassis 111 (i.e., front 111 a, top 111 c, back 111 e, and bottom111 d). First wall 125 is configured with a first flange 125 f along thefirst seam and second wall 135 is configured with second flange 135 falong the second seam. Operable engagement may be accomplished by aplurality of fasteners 119 shown fastening first and second walls 125,135 to chassis 111; fasteners 119 may be fabricated of the same materialas chassis 111 to reduce differences in conductivity. In this view, itmay also be seen that EMF gasket material 157 may be provided at theseams formed with first and second walls 125, 135 to further impair thepotential for forming slot antennae.

Thus, in this exemplary embodiment, the first computer domain 120 andsecond computer domain 130 are separated internally by a first wall 125.The second computer domain 130 and third computer domain 140 areseparated internally by a second wall 135. First and second flanges 125f, 135 f, with fasteners 119 and EMF gasket material 157, operate toocclude EMF incident on the respective first and second seams formed byfirst and second walls 125, 135 at chassis 111. In this way, first andsecond walls 125, 135 may be electromagnetic field shields withinchassis 111 and, with chassis 111, operate to prevent data migrationacross domains. First and second walls 125, 135, along with the otherportions of chassis 111, are thereby configured to form three Faradaycages about chambers 121, 131, 141 and each computer domain, therebypreventing data migration via EMF among domains, and EMF propagationoutside chassis 111 as well.

FIG. 5 shows the same chassis 111 as in FIG. 4, but with the rearperipheral panel 114 a set in place on the chassis 111. Once in place,the rear peripheral panel 114 a seals against an EMF gasket 157 (notshown), and provides a rear flange 114 f for the top access cover 113(not shown) when it is secured into place. Also note the fans and outerfan guards 156 have been installed in an outer portion of chassis 111.Between the fans and fan guards 156 may be a special EMF filter (muchlike an EMF filter on the front glass of a microwave) installed andgrounded against the chassis 111 so the EMF filter is at the sameelectrical potential as the chassis.

FIG. 6 illustrates a front view of a fully populated outer chassis 111with first and second walls 125, 135 in place, front 111 a, rearperipheral panel 114 a fastened, and computer domains 120, 130, 140installed. This view permits note of devices, such as a locking HDD andan optical drive, associated or dedicated to a particular domain, whichdevices may be sealed or wrapped about with EMF gasket material 157. Thechassis 111 may comprise a plurality of access covers, such as topaccess cover 113, rear peripheral cover 114, or other access panels orcovers that provide or securely controls access (e.g., by mechanicallock) to controls of computer domains 120, 130, and 140 (e.g., ON/OFF,Reset, HDD, etc.).

Computer domains 120, 130, and 140 may optionally include card combodrives, whether cryptographic, or other smart card reader, PCMCIA slotor other such drive, etc. A smart card may be connected only on asecured domain which provides access to authorized users only, forexample. In some embodiments, the MLS computer 110 may employ a separatesmart card reader, such as a standard ISO7816 reader, allowing a user,such as a government agency, to select desired authentication software.

The computer domains 120, 130, and 140 may each comprise removable harddrives 122, 132, and 142. The removable hard drives 122, 132, and 142may have built-in key/locks to allow removal for safe storage when theMLS computing unit 110 is not in use or is being transported betweensecure facilities. The computer domains 120, 130, and 140 may includeCD/DVD combo drives 124, 134, and 144. Optionally, some embodiments mayhave computer domains 120, 130, and 140 with a dedicated power key lock161 and/or reset buttons, so that a user may independently control orreset any of the computer domains 120, 130, and 140.

The KVM/KM selector switch 162 can allow a user to re-associate thekeyboard and mouse and/or video among computer domains 120, 130, and140. The KVM/KM switch 162 can be mechanical, electrical, orelectromechanical, depending on the application.

The MLS computing unit 110 may further comprise one or more power keylocks 161. The power key lock 161 is preferably electromechanical, andembodiments of a single power key lock 161 may be in the form of amaster, with separate dedicated power control for each domain. A mastermight control all power to MLS computing unit 110, for example. The usermay turn on or off one or more of the computer domains 120, 130, and 140using power key lock 161. As noted above, a separate key lock may beincluded for each computer domains 120, 130, 140. A power key lock 161may turn on or off all of the computer domains 120, 130, and 140 at once(i.e., a master), or it can affect only the domain selected by a KVM/KMselector switch 162, or embodiments may be provided with a power keylock 161 one per domain. Preferably the power key lock 161 is similar tothe ignition key lock of a vehicle, i.e., a user must insert andpreferably turn a key to turn the power on. Similarly, reverse turningand removing the key can turn the power off. The power key lock 161 maybe configured to require that the key remain in the lock duringoperation of the MLS computing unit 110.

FIG. 7 illustrates a back view of a MLS computing unit 110. As discussedabove, the unit 110 may be housed within a single chassis 111. The back111 e of the chassis 111 may comprise a rear peripheral cover 114. Therear peripheral cover 114 may include a rear peripheral cover lock 116for securely closing the rear peripheral cover 114 and providing accesscontrol when locked.

The back 111 e of chassis 111 may include a rear peripheral panel 114 awith common interface ports corresponding to computer domains 120, 130,140 of the MLS Computer 110. These may be individual panels or a singlepanel. The rear peripheral cover 114 may be opened to provide access tothe rear peripheral panel 114 a when the lock 116 is unlocked and therear peripheral cover 114 is opened.

The common interface ports may preferably include normal computerperipheral ports, depending on the application. The ports may include:video outputs; video inputs; USB ports; keyboard and mouse ports; serialports, network ports; and other suitable ports for interfacing withdevices or the MLS computer 110, as may be desired. The rear peripheralcover 114 may include apertures, indentations, or openings toaccommodate cables coupled to any of the ports of rear peripheral panel114 a. This enables the rear peripheral cover 114 to be closed andlocked while various cables may remain securely coupled to ports. Theopenings may be large enough to accommodate the cables passing throughthem, but small enough to prevent attachment or detachment of cableswhen closed. The rear peripheral cover 114 prevents unauthorized usersfrom manipulating network cables between the secured and unsecureddomains as well as preventing removal of other devices such asvideo/keyboard/mouse cables.

The back 111 e of the chassis 111 may further include vents for fans(not shown) of each of the computer domains 120, 130, and 140. Further,chassis 111 may include a power plug receptacle or receptacles foraccepting an external power supply and a power switch. Additionally,chassis 111 may include an alarm switch 117 on an access panel to theinternal components.

FIG. 8 illustrates an assembled embodiment of the MLS computing unit110. Chassis 111 may have a top 111 c that comprises a top access cover113. The top access cover 113 may include a top cover lock 115 foraccess control. The top cover lock 115 is preferably mechanical.Unlocking the top cover lock 115 enables or permits access to thecomponents such as the mother boards, memory, video cards, etc. of thecomputer domains 120, 130, and 140. Access to the key for the top coverlock may be restricted to authorized users. In lieu of a locking top, analarm system may be used to alarm if the top is opened or used inconjunction with the locking top.

FIG. 9 illustrates a front and top view of the MLS computer 110 with thetop access cover 113 (not shown) removed. The computer domains 120, 130,and 140 are disposed within the case 111 and are separated by first andsecond internal EMF shields in the form of first and second walls 125,135 of the chassis 111 structure. Each computer domain 120, 130, and 140comprises the electronic processing components discussed above. Thecomputer domains 120, 130, and 140 preferably include rear peripheralpanel 114 a located on the back 111 e of the unit 110 enabling interfacewith the components of the domains.

Implementing a physical hardware access control of the speciallyconstructed chassis 111 via a hardware lock/key cover for the front ofthe chassis 111 as well as the back, ensures a solid access control tothe physical hardware itself, even before the computer might be turnedon, as with an electro-mechanical power supply key lock.

All penetrations in the chassis 111 and internal chambers 121, 131, 141for the purposes of switches or connectors 155 shall be isolated toeither the front or rear of the chassis 111 to prevent as much of theradiated EMF from crossing boundaries between the compartments of thethree isolated computers or from the field aligning outside of theexternal chassis and effecting another computer domain be effectivelyre-entering the chassis.

Where switches or connectors 155 penetrate the front or rear of thechassis 111, they may be composed of a material of similar properties ofconductivity to the chassis 111. For instance, connectors 155 may bemade of copper or brass with a nickel cladding or surface to disrupt thefield as little as possible.

FIG. 9 is a detail of chassis 111 with KVM selector switch 162 shown,with chassis 111 open during assembly.

Aspects of some embodiments may be illustrated by describing optionalaccess procedures. The MLS computer 110 may be accessed by inserting aphysical key into a mechanical key lock on a cover mounted on chassis111, possibly with a tamper-proof metal hinge. Upon opening the coverand powering-on MLS computer 110, computer domains 120, 130, and 140 maythen become active and access to an unsecured domain, optionally such ascomputer domain 140, may be provided as a default configuration.

Access to the secured domains in some embodiments, optionally such ascomputer domains 120 and 130 may be restricted by smart card, forexample. An authorized user might be required to enter a personal IDcard into a smart card reader to be allowed access to the securedcomputer domains 120 and 130. A personal identification number may berequired entered and validated, so then a user may proceed and accessthe secured computer domains 120 and 130, or perhaps a classifiednetwork. When an authorized user wishes to switch to the unsecuredcomputer domain 140, the user may select the desired by toggling KM orKVM selector switch 162. The authorized user can switch back to thesecure domain by pressing the secured button on the domain selectionswitch 162 within less than a second without re-powering or re-bootingdomains and without a loss of data on either domain.

In some embodiments, the security features of the MLS computer 100 mayinclude access control, identification, authentication, and switchingmechanisms that are entirely hardware based. Access control may requirea key administrator with an access key #1 to unlock a cover for access(e.g., top access cover 113) and a user with access key #2 to turn onthe system by inserting the key #2 into a power key lock. The keyadministrator may also use access key #1 to unlock the any cover locks,allowing access to items such as cable connections, rear peripheralpanel 114 a, etc., in order to maintain network cables and otherhardware connections. Optionally, authorized users with possession of anaccess key #3 may unlock and remove a removable hard drive from computerdomains 120, 130, and 140.

One optional aspect of such embodiments is that once a key administratorunlocks a cover with key #1 and a user turns on the computer with key#2, the user may then operate the default unsecured domain, such ascomputer domain 140. To access the classified secure domains, such ascomputer domains 120 and 130, the user may be required to initiateidentification and authentication access control by inserting a smartcard into a reader. After the smart card has been authenticated, a usermay be required to enter a valid PIN number issued by the keyadministrator before being allowed to access secure computer domains 120and 130.

Once access is granted, optionally data stored on any hard drives ofsecured computer domains 120 and 130 may be encrypted/decrypted, forexample, with a FIPS 140-2 certified cryptographic card. Cryptographiccards may be uniquely serial numbered to its MLS computer 110. Uponshutdown, a user may use access key #3 to remove drives or other mediato store them in a secure location.

In some embodiments, when only an unsecured domain, such as computerdomain 140 is accessed, a user may be limited to information within thatdomain. Consequently, the display system 150 may be limited to displayinformation from the unsecured domain 140. When one of the secureddomains, such as computer domains 120 and 130 is accessed, the user mayaccess information with the secured domain and the unsecured domain.Therefore, display system 150 may present information from the secureddomain and the unsecured domain 140. For example, if a secured domain isaccessed, monitor system 150 may display the desktop of the secureddomain and the unsecured domain.

Optionally, chassis 111 may have a cover alarm that can sound in theevent of an unauthorized removal of top cover 113. A key administratormay turn the cover alarm off by, for example, inserting key #2 into thealarm switch, which might be located at the rear 111 e of the chassis111.

As indicated above, one embodiment of the MLS computing system 100 maycomprise an MLS computing unit 110 with three compartmentalized andindependent hardware-based domains, each with a dedicated power supplyhardwired to electrical communication solely within its domain. Forexample, first computer domain 120 may have power supply 120 d separatedfrom other power supplies 130 d, 140 d by the respective Faraday cage,and primarily first and second walls 125, 135 as electromagnetic fieldshields. In particular, dedicated power supplies avoids signals fromtravelling though shared wiring or other electrical components.

One embodiment of the MLS computing unit 110 may include combinations ofthe following components: chassis 111 as an SSI case; Domain selectorswitch 4 port; SSI power pack; Processor/CPU—Intel Pentium IV.times.3;Motherboard—Industrial P4.times.3; Chipset—Intel 440BX; BIOS: 2 MB AMIFlash BIOS and APM 1.2, DMI 2.1, Plug and Play; Memory—1 GB DDR333.times.3; Video—(64 MB) Intel (build-in); Hard Drives: 80.0 GB ATA3.5″ (removable, Unsecured domain), 80.0 GB ATA 2.5″ (removable, firstsecure domain), 80.0 GB ATA 2.5″ (removable, second secure domain),3.5-inch removable SECURE hard drive case.times.3, CD-ROM: CD-ROMdrive.times.2 (slim, first and second secure domains); DVD/CDRWdrive.times.1 (slim, unsecured domain); Network Interface Card(NIC)—Intel.times.3; Keyboard—STC E05300; Mouse or Trackball;Monitor—LCD.times.3; Sound Card—Creative SB 16; Speakers—Mli-699;tamper-proof case; SmartCard identification and authenticationdrive.times.2 (3 d optional); operating system—Windows XP Pro; keys #1,2, 3 (one set).

Optionally, the keys used in an MLS computing system 100 may be illegalto duplicate and may be clearly identified on the face of each key asbeing illegal to duplicate. Additionally, each key may be unique to acorresponding lock such that no two systems may be accessed the samekey. In another contemplated embodiment, a single key may be employedper MLS computing unit 110 that can access all of the locks associatedwith the chassis 111 and MLS computing unit 110.

While the various embodiments of this invention have been described indetail with particular reference to exemplary embodiments, those skilledin the art will understand that variations and modifications can beeffected within the scope of the invention as defined in the appendedclaims. Accordingly, the scope of the various embodiments of the presentinvention should not be limited to the above discussed embodiments, andshould only be defined by the following claims and all applicableequivalents.

It is claimed:
 1. A multi-level security computing system, comprising: achassis having a front, top, bottom, and two sides, each comprising anelectromagnetic shield; a first computer domain comprising a firstmotherboard, a first dedicated bus, a first processor, a first datastorage device, and a first dedicated power supply; a second computerdomain comprising a second motherboard, a second dedicated bus, a secondprocessor, a second data storage device, and a second dedicated powersupply; a third computer domain comprising a third motherboard, a thirddedicated bus, a third processor, a third data storage device, and athird dedicated power supply; the first, second, and third computerdomains enclosed within the chassis, with a first internalelectromagnetic field shield located inside the chassis and interposedbetween the first computer domain and the second computer domain toprevent data migration between the first computer domain and the secondcomputer domain, and a second internal electromagnetic field shieldlocated inside the chassis and interposed between the second computerdomain and the third computer domain to prevent data migration betweenthe second computer domain and the third computer domain; wherein thefirst and second internal electromagnetic shields comprise a first andsecond wall with the first wall having a first perimeter and the secondwall having a second perimeter, the first perimeter in operableengagement with the chassis defining a first seam between the firstperimeter of the first wall and the chassis, the chassis and first wallconfigured with a first flange along the first seam to occlude anelectromagnetic field from the first or second computer domain incidenton the first seam, the second perimeter in operable engagement with thechassis defining a second seam between the second perimeter of thesecond wall and the chassis, the chassis and second wall configured witha second flange along the second seam to occlude an electromagneticfield from the second or third computer domain incident on the secondseam; the first computer domain, the second computer domain and thethird computer domain being separated and electrically isolated so thatno information is shared between any of the first computer domain, thesecond computer domain, and the third computer domain; and the chassiswith the first and second electromagnetic field shields being configuredto form a first, second, and third Faraday cage about the first, second,and third computer domains respectively.
 2. The multi-level securitycomputing system of claim 1, wherein the chassis and the first andsecond electromagnetic field shields are fabricated of an aluminumalloy.
 3. The multi-level security computing system of claim 1, furthercomprising: one or more user data input devices; a user data inputselector switch for alternatively coupling the one or more user datainput devices to the first computer domain, the second computer domain,and the third computer domain without rebooting any of the firstcomputer domain, the second computer domain, or the third computerdomain; and wherein the first computer domain, the second computerdomain, and the third computer domain are adapted to be operational atthe same time.
 4. The multi-level security computing system of claim 3,wherein the one or more user interface devices comprise a keyboard and amouse.
 5. The multi-level security computing system of claim 1, whereinat least one of the second computer domain and the third computer domainis a secure computer domain and the multi-level security computingsystem further comprising a smart card access controller forauthenticating users prior to allowing access to the secure computerdomain.
 6. The multi-level security computing system of claim 5, whereinthe first domain may be accessed by a user without smart cardauthentication.
 7. The multi-level security computing system of claim 1,further comprising: a key-lock power switch having an associated key forpowering on the first computer domain, the second computer domain, andthe third computer domain.
 8. The multi-level security computing systemof claim 1, further comprising: a first reset button for resetting thefirst computer domain without resetting the second computer domain orthe third computer domain; a second reset button for resetting thesecond computer domain without resetting the first computer domain orthe third computer domain; and a third reset button for resetting thethird computer domain without resetting the first computer domain or thesecond computer domain.
 9. The multi-level security computing system ofclaim 1, wherein the total power consumption of the first computerdomain, the second computer domain, and the third computer domain are nomore than 150 watts.
 10. The multi-level security computing system ofclaim 1, wherein the total power consumption of the first computerdomain, the second computer domain, and the third computer domain are nomore than 105 watts.
 11. The multi-level security computing system ofclaim 9, wherein the total power consumption of the first computerdomain is no more than 50 watts.
 12. The multi-level security computingsystem of claim 10, wherein the total power consumption of the firstcomputer domain is no more than 35 watts.
 13. The multi-level securitycomputing system of claim 1, further comprising a top panel lock forcontrolling access to internal components of the computer through a toppanel.
 14. The multi-level security computing system of claim 1, furthercomprising EMF gasket material interposed between the first and secondflanges and the chassis.
 15. The multi-level security computing systemof claim 1, further comprising a display having a first video monitoradapted to display information from the first computer domain, a secondvideo monitor adapted to display information from the second computerdomain, and a third video monitor adapted to display information fromthe third computer domain, wherein the first, second, and third videomonitors are adapted to simultaneously display information.
 16. Themulti-level security computing system of claim 1, the chassis adapted tomount to a standardized 19-inch rack.
 17. The multi-level securitycomputing system of claim 1, the chassis having a plurality of accesscovers including a top cover and a back cover for providing access to atleast a portion of the interior of the chassis and a top cover lock forpreventing unauthorized access to the chassis through the top cover; anda back cover lock for preventing unauthorized access to the chassisthrough the back cover.